verify attributes

Signed-off-by: Shiwei Zhang <[email protected]>
chloeyin · Feb 15, 2022 · 4d4a42c · 4d4a42c
1 parent b3e4af6
commit 4d4a42c
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 4 deletions.
diff --git a/pkg/cose/signer.go b/pkg/cose/signer.go
@@ -80,10 +80,10 @@ func (s *Signer) Sign(ctx context.Context, desc notation.Descriptor, opts notati
 		1:     s.base.GetAlg().Value,    // alg
 		2:     []interface{}{3},         // crit
 		3:     MediaTypeNotationPayload, // cty
-		"iat": time.Now().UTC(),
+		"iat": time.Now().Unix(),
 	}
 	if !opts.Expiry.IsZero() {
-		msg.Headers.Protected["exp"] = opts.Expiry.UTC()
+		msg.Headers.Protected["exp"] = opts.Expiry.Unix()
 	}
 	if err := msg.Sign(rand.Reader, nil, *s.base); err != nil {
 		return nil, err

diff --git a/pkg/cose/verifier.go b/pkg/cose/verifier.go
@@ -181,9 +181,30 @@ func (v *Verifier) verifyCOSE(verifier *cose.Verifier, msg *cose.Sign1Message) e
 		return err
 	}
 
-	// ensure required attributes exist.
-	if _, ok := header["iat"].(int); !ok {
+	// verify attributes
+	var issuedAt time.Time
+	if value, ok := header["iat"]; !ok {
 		return errors.New("missing iat")
+	} else if unix, ok := value.(int); !ok {
+		return errors.New("invalid iat")
+	} else {
+		issuedAt = time.Unix(int64(unix), 0)
+	}
+	now := time.Now()
+	if issuedAt.After(now) {
+		return errors.New("signature used before generated")
+	}
+
+	if value, ok := header["exp"]; ok {
+		unix, ok := value.(int)
+		if !ok {
+			return errors.New("invalid exp")
+		}
+		expiresAt := time.Unix(int64(unix), 0)
+		if !now.Before(expiresAt) {
+			delta := now.Sub(expiresAt)
+			return fmt.Errorf("signature is expired by %v", delta)
+		}
 	}
 	return nil
 }